A known method for encrypting a sequence of data blocks consists of a Cipher Block Chaining (CBC) process where each block of plaintext is combined with the preceding ciphertext block by using XOR operation before being encrypted. Each ciphertext block is thus dependent on all plaintext blocks processed before a given block. When the total length of the plaintext is not a multiple of the blocks length, a residual block of shorter length remains, an embodiment of the CBC process called Residual Block Termination is applied. The plaintext full blocks of the same length are encrypted by using the CBC mode except the last full block which is encrypted twice. Ciphered full blocks of a same length are thus obtained. The residual block of plaintext is XORed with leftmost bits of the re-encrypted last full block to obtain a ciphered residual block. At decryption, first the ciphered full blocks are decrypted by using the CBC mode. The last full block which is still encrypted is re-encrypted and the residual ciphered block is XORed with the leftmost bits of the re-encrypted last full block to obtain the complete plaintext.
The document “Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode”, Addendum to NIST Special Publication 800-38A, Morris Dworkin, October 2010 discloses three variants of Ciphertext Stealing mode based on CBC mode.
The three variants of CBC mode accept any plaintext input whose bit length is greater than or equal to the block size, whether or not the length is a multiple of the block size. Unlike the padding methods discussed in NIST SP 800-38A, Ref. [1], these variants avoid ciphertext expansion.
These variants are denoted CBC-CS1, CBC-CS2, and CBC-CS3, where “CS” indicates “ciphertext stealing,” because when padding bits are needed in these variants, they are taken from the penultimate ciphertext block. The variants differ only in the ordering of the ciphertext bits.
The known methods of blocks ciphering can be summarized as follow:

The grey cells show the drawbacks of the prior art methods A), B), C) and D).
A). Residual block termination (folklore, see e.g. “Residual block termination”, Wikipedia, http:en.wikipedia.org/wiki/Residual_block_termination): the residue is XORed with the encryption of the last full encrypted block, which requires the use of the encryption function for decrypting a plaintext.
B). Ciphertext stealing (folklore, see e.g. U.S. Pat. No. 5,684,876, or “Ciphertext stealing”, Wikipedia: http:en.wikipedia.org/wiki/Ciphertext_stealing#CBC_encryption_steps): the penultimate encrypted block having a length of x bits is split in y and (x-y) bits parts, the latter being concatenated to the residue of y bits before encryption and swap of the x bits result with the previous y bit part. It is the least simple method, for it requires splitting a block and out-of-order blocks processing.
C). Clear residual data: a solution sometimes adopted is to leave the y bits residue in clear, i.e. without any confidentiality protection. This is the simplest but least secure method.
D). XOR with constant: this method consists in XORing the residue with a key-dependent constant, such as the encryption of the initialization vector IV (as found in an IPTV scrambler, see e.g. ATIS-0800006: IIF Default Scrambling Algorithm (IDSA)—IPTV Interoperability Specification. ATIS, January 2007). It has a low security, as the knowledge of one plaintext ciphertext pairs make the method equivalent to method C) (because the constant used is then known).
Document W02008052141A2 discloses a method and apparatus for improved scrambling and/or descrambling of MPEG-2 transport stream packets over an Internet Protocol network. To scramble the transport packet streams Advance Encryption Standard (AES) under cipher block chaining (CBC) is used, wherein computation of an initialization vector (IV) set to either a constant number or to a programmable random number is performed.